Commit 472237b6 authored by Pei Li, committed by Kent Overstreet

bcachefs: Fix shift-out-of-bounds in bch2_blacklist_entries_gc

This series fixes the shift-out-of-bounds issue in
bch2_blacklist_entries_gc().

Instead of passing 0 to eytzinger0_first() when iterating the entries,
we explicitly check 0 and initialize i to be 0.

syzbot has tested the proposed patch and the reproducer did not trigger
any issue:

Reported-and-tested-by: syzbot+835d255ad6bc7f29ee12@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=835d255ad6bc7f29ee12
Signed-off-by: Pei Li <peili.dev@gmail.com>
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
parent 211c581d
...@@ -232,7 +232,7 @@ bool bch2_blacklist_entries_gc(struct bch_fs *c) ...@@ -232,7 +232,7 @@ bool bch2_blacklist_entries_gc(struct bch_fs *c)
BUG_ON(nr != t->nr); BUG_ON(nr != t->nr);
unsigned i; unsigned i;
for (src = bl->start, i = eytzinger0_first(t->nr); for (src = bl->start, i = t->nr == 0 ? 0 : eytzinger0_first(t->nr);
src < bl->start + nr; src < bl->start + nr;
src++, i = eytzinger0_next(i, nr)) { src++, i = eytzinger0_next(i, nr)) {
BUG_ON(t->entries[i].start != le64_to_cpu(src->start)); BUG_ON(t->entries[i].start != le64_to_cpu(src->start));
......
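Review bot: the ternary in the for-initializer (`i = t->nr == 0 ? 0 : eytzinger0_first(t->nr)`) buries the empty-table case in the loop header and carries no comment saying why 0 must not reach eytzinger0_first(). When t->nr is 0 the condition `src < bl->start + nr` is already false, since the BUG_ON above guarantees nr == t->nr, so the body never runs and the value of i is irrelevant; an explicit check before the loop, or a one-line comment that eytzinger0_first() needs a non-zero size, would state the precondition more clearly. The initializer also reads t->nr while the increment passes nr to eytzinger0_next(); using one of the two consistently would make the loop easier to audit.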